Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide


Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide

July

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. (for Department of Defense (DOD) acquisitions) and 48 C.F.R. and (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

NetIQ Corporation. All Rights Reserved.

For information about NetIQ trademarks, see

Contents

About this Book and the Library 7
About NetIQ Corporation 9
1 Introduction to Deploying or Upgrading the Appliance 11
2 Requirements
    Appliance Requirements
    CSV File Requirements
    Password Requirements
        Understanding How the Account Management Service Handles Passwords
        Understanding the Password Policy
    Appliance Installation Worksheet
3 Deploying and Initializing the Account Management Service Appliance
    Providing a Link to the Appliance for Your Tenants
    Deploying the Appliance
        Determining which OVF File to Use
        Importing an OVF File with DHCP
        Importing an OVF File without DHCP
    Initializing the Appliance
4 Getting Started
    Logging In to the Tenant Console
    Accessing the Account Management Service Appliance Administration Console
    Registering the Appliance
    Understanding the Status Icons
    Viewing Recommended Actions
5 Configuring the Appliance
    Configuring Network Options
        Configuring the Forward Proxy
        Configuring the Routing Table
    Changing the Certificates on the Appliance
    Configuring Clustering for the Appliance
        Advantages of Clustering
        Managing Nodes in the Cluster
        Configuring an L4 Switch for Clustering
6 Importing Data 31
7 Mapping Schema
    Schema Mapping for the Connector for LDAP
    Schema Mapping for the Connector for JDBC
8 Populating Identity Data
    Exporting Identity Data to a CSV File
    Populating Identity Data to the IdentityAccess Service
    Populating Identity Data to a JDBC Database
        Meeting the Requirements
        Obtaining the Script Files
        Configuring the Connector for JDBC
        Populating the JDBC Database
    Populating Identity Data to LDAP Directories
        Meeting the Requirements
        Configuring the Connector for LDAP
9 Mapping Authorizations
    Prerequisites
    Loading Authorizations
    Reloading Authorizations
    Mapping Authorizations
10 Configuring Account Claim for Users
    Configuring Self-Service User Store for Account Claim
    Using the Account Claim Service
11 Using Identity Manager Drivers
    Restrictions for the Identity Manager Drivers
    Importing the Identity Manager Drivers
    Exporting or Publishing the Connector Template
    Displaying Connectors for Tenants
    Configuring the Identity Manager Drivers
12 Reporting
    Viewing Users and Groups
    Using Google Analytics as an External Dashboard
    Configuring the Appliance to Forward Events to Sentinel Log Manager
    Configuring the Appliance to Forward Events to a Syslog Server
13 Maintenance Tasks
    Configuring Session Timeouts
    Changing the IP Address
    Changing Public DNS Name or NTP Server Settings, or Uploading New Certificates
    Updating the Appliance
    Shutting Down or Rebooting a Node
    Recovering from a Disaster
14 Upgrading the Appliance
15 Troubleshooting
    Troubleshooting the Appliance Initialization
    Displaying Health
    Using Troubleshooting Tools
        Troubleshooting Different States
        Master Node Health
        Front Panel of the Node
        Top of the Node
        Tools
    Troubleshooting Networking Issues
    Troubleshooting the Connector for LDAP
    Troubleshooting Automatic Emails for Users' Passwords


About this Book and the Library

The Identity as a Service Powered by NetIQ Account Management Service Installation and Configuration Guide provides installation and configuration information for the Account Management Service.

Intended Audience

This book provides information for providers and tenants that deploy and configure the Account Management Service appliance.

Other Information in the Library

The library provides the following information resources:

Identity as a Service Powered by NetIQ Solution Overview Guide: Provides overview and architectural information about the services included in the Identity as a Service Powered by NetIQ solution.

Identity as a Service Powered by NetIQ Services Director Installation Guide: Provides detailed planning and installation information for the Services Director.

Identity as a Service Powered by NetIQ Provider Administration Guide: Provides step-by-step guidance for the many tasks a provider performs for tenants. The guide also contains information on how to manage and maintain your Services Director.

Identity as a Service Powered by NetIQ Tenant Administration Guide: Provides step-by-step guidance for the tasks a tenant performs.

Identity as a Service Powered by NetIQ IdentityAccess Service Installation Guide: Provides detailed installation information for the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide: Provides detailed configuration and administration information for the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ IdentityAccess Service Connectors Guide: Provides detailed installation and configuration information for the connectors that you use with the IdentityAccess Service appliance.

Identity as a Service Powered by NetIQ IdentityAccess Service Mobile Users QuickStart: Contains basic steps for the users to configure and use the MobileAccess service that is part of the IdentityAccess Service.

Identity as a Service Powered by NetIQ Privileged Account Manager Service Guide: Provides installation and configuration information on how to make NetIQ Privileged Account Manager a service that the Services Director hosts.

Identity as a Service Powered by NetIQ Technical References: Provide more detailed information about different features of the Identity as a Service Powered by NetIQ solution.

Help: Provides context-sensitive information and step-by-step guidance for common tasks.

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: change, complexity and risk, and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster. We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost-effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software. In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.

Driving your success is our passion. We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with for a change. Ultimately, when you succeed, we all succeed.

Our Solutions

Identity & Access Governance
Access Management
Security Management
Systems & Application Management
Workload Management
Service Management

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide:
United States and Canada:
Website:

Contacting Technical Support

For specific product issues, contact our Technical Support team.

Worldwide:
North and South America:
Europe, Middle East, and Africa: +353 (0)
Website:

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click Comment on this topic at the bottom of any page in the HTML version of the documentation. You can also email [email protected]. We value your input and look forward to hearing from you.

Contacting the Online User Community

NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you need to realize the full potential of the IT investments upon which you rely. For more information, visit

1 Introduction to Deploying or Upgrading the Appliance

The NetIQ Account Management Service allows you to import your identity data, most likely from an HR system, into a flat, defined structure. It then allows you to use that identity data to populate connected systems, including the IdentityAccess Service. For more information, see NetIQ Account Management Service Architecture in the Identity as a Service Powered by NetIQ Solution Overview Guide.

If this is the first deployment of the appliance, ensure that you meet all of the requirements before deploying the appliance. For more information, see Chapter 2, Requirements, on page 13.

If you have already deployed the appliance, there are two different ways to update its software:

Update: An update allows you to update the software on the appliance if there is a change in the minor version or if there are security updates. For example, you can update the appliance from 2.1 to 2.2. For more information, see Section 13.4, Updating the Appliance, on page 56.

Upgrade: An upgrade is for a major version change of the appliance. For example, you must perform an upgrade from version 2.2 to version 3.0. The upgrade process is different from the update process. For more information, see Chapter 14, Upgrading the Appliance, on page 59.


2 Requirements

The Account Management Service is an appliance that you must deploy for each tenant that uses this service. The appliance is an OVF file. Review the requirements in this section before deploying the appliance.

2.1 Appliance Requirements

Verify that you meet the following requirements before starting the installation of the appliances.

Table 2-1 Account Management Service Appliance Requirements

Supported Virtual Environments:
    Hyper-V in Windows Server 2012 R2
    VMware vSphere and vSphere Hypervisor 5.0
    VMware vSphere and vSphere Hypervisor 5.5

Virtual System Guest Requirements:
    Minimum hardware requirements for each appliance node in the cluster:
        60 GB disk space
        2 cores
        8 GB RAM
    A best practice is to group or separate virtual machines on hosts and data stores to avoid resource conflicts for CPU, disk I/O, and network bandwidth.

Cluster Requirements:
    Supported cluster configuration: up to a five-node cluster.
    For optimal performance, each node should reside in the same IP subnet.
    NOTE: The L4 switch must be configured with the publicly resolvable DNS name of the cluster before you initialize the appliance.

Browsers:
    Supported browsers for administration tasks:
        Mozilla Firefox on Windows 7 or 8.1
        Google Chrome on Windows 7 or 8.1
        Microsoft Internet Explorer 11 on Windows 7 or 8.1
        Apple Safari on OS X Mavericks or later
    You must disable pop-up blockers to access the administration consoles.
    NOTE: Administration tasks are not supported on mobile devices.
    NOTE: If you experience any issues with a supported browser, ensure that you have the latest version of the browser installed, or try another supported browser. Administering the appliance with Internet Explorer might be slower than with other supported browsers.

2.2 CSV File Requirements

The Account Management Service appliance requires that the CSV file contain certain fields. Only two fields are required: UserName and LastName. The CSV fields are the defined schema for the CSV file. For more information, see Chapter 7, Mapping Schema, on page 33.

The following is a list of all of the supported fields for the CSV file in the Account Management Service appliance. The fields are comma delimited, and the field names are case sensitive.

AccessCardNumber
City
Company
CostCenter
CostCenterDescription
Country
Department
Description
DepartmentNumber
EmployeeStatus
EmployeeType
FaxNumber
FirstName
FullName
GenerationalQualifier
Group
InstantMessengerID
JobCode
LastName
Location
Mailstop
ManagerWorkforceID
MiddleInitial
MobileNumber
OfficeNumber
PagerNumber
Password
POBox
PostalCode
PreferredLanguage
PreferredName
Prefix
State
StreetAddress
TelephoneNumber
Title
UserName
WorkforceID

The Group field is optional. If the Group field is present in the CSV file, Account Management Service creates the group, then designates the user as a member of the group. You can use multiple groups, and multiple input records for the same user in the same CSV file with different group values. For example:

UserName,LastName,FirstName,Password,Group
inputuser1,user1,input1,mysecret,group7
inputuser1,user1,input1,mysecret,group8

This example adds inputuser1 to group7 and group8.

The Password field is also optional. Depending on whether you use this field or use the Account Claim feature, the appliance handles passwords differently. For more information, see Section 2.3, Password Requirements.

2.3 Password Requirements

Account Management Service automatically handles users' passwords. However, you need to understand how the appliance handles the passwords. The appliance also contains a password policy that users must follow when setting their own passwords through the account claim process.

2.3.1 Understanding How the Account Management Service Handles Passwords

Account Management Service manages user accounts, including passwords, for the users. The appliance can import users' passwords through the CSV file. If you use the Password field, Account Management Service sets the user's password to the value you enter in the CSV file. If you do not use the Password field, Account Management Service sets the imported user's password to a random, 12-character alphanumeric password on the initial import. In order for Account Management Service to create the users, the appliance must set a value for each user's password. This password is temporary, whether it came from the CSV file or the appliance generated it. Account Management Service stores a copy of the users and their passwords in the local identity store.

These passwords are temporary, and each user changes their password through the account claim feature of Account Management Service. For more information, see Chapter 10, Configuring Account Claim for Users, on page 45. If you configured Account Management Service to automatically trigger provisioning activity when the CSV file import occurs, Account Management Service sets the temporary password for the user in the connected system. When the user changes their password, Account Management Service synchronizes the password change to the connected system.
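The import rules above (case-sensitive field names, the two required fields, Group rows accumulating per user, and a random 12-character alphanumeric temporary password when Password is absent) as an added example, not NetIQ's code: a small pre-import checker that validates a CSV header and models what the appliance does with each record. The function names and the generator are ours; the field list and rules come from this section.

```python
"""Added example (not NetIQ's code): validate an Account Management Service
style CSV import and model how the section above says groups and passwords
are handled.  Field names, required fields and the 12-character temporary
password rule come from the page; the helper names are our own."""
import csv
import io
import secrets
import string

# Supported field names from the page's list.  Names are case sensitive.
SUPPORTED_FIELDS = {
    "AccessCardNumber", "City", "Company", "CostCenter", "CostCenterDescription",
    "Country", "Department", "Description", "DepartmentNumber", "EmployeeStatus",
    "EmployeeType", "FaxNumber", "FirstName", "FullName", "GenerationalQualifier",
    "Group", "InstantMessengerID", "JobCode", "LastName", "Location", "Mailstop",
    "ManagerWorkforceID", "MiddleInitial", "MobileNumber", "OfficeNumber",
    "PagerNumber", "Password", "POBox", "PostalCode", "PreferredLanguage",
    "PreferredName", "Prefix", "State", "StreetAddress", "TelephoneNumber",
    "Title", "UserName", "WorkforceID",
}
REQUIRED_FIELDS = {"UserName", "LastName"}
ALPHANUMERIC = string.ascii_letters + string.digits


def validate_header(fieldnames):
    """Return a list of problems with the CSV header (empty list means OK)."""
    problems = []
    present = set(fieldnames or [])
    for name in sorted(REQUIRED_FIELDS - present):
        problems.append(f"missing required field: {name}")
    for name in fieldnames or []:
        if name not in SUPPORTED_FIELDS:
            # A case mismatch such as 'username' is the usual cause.
            hint = ""
            matches = [f for f in SUPPORTED_FIELDS if f.lower() == name.lower()]
            if matches:
                hint = f" (did you mean {matches[0]}? field names are case sensitive)"
            problems.append(f"unsupported field: {name}{hint}")
    return problems


def temporary_password():
    """Random 12-character alphanumeric password, mirroring what the page
    says the appliance does when Password is absent (our generator)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(12))


def load_users(csv_text):
    """Parse the CSV into {UserName: record}.  Repeated rows for the same
    UserName accumulate Group values; every user ends up with a temporary
    Password (taken from the file if given, otherwise generated)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = validate_header(reader.fieldnames)
    if problems:
        raise ValueError("; ".join(problems))
    users = {}
    for row in reader:
        name = row["UserName"]
        rec = users.setdefault(name, {"Groups": [], "PasswordSource": "generated"})
        for field, value in row.items():
            if field == "Group":
                if value and value not in rec["Groups"]:
                    rec["Groups"].append(value)
            elif field == "Password":
                if value:
                    rec["Password"] = value
                    rec["PasswordSource"] = "csv"
            elif value:
                rec[field] = value
        if "Password" not in rec:
            rec["Password"] = temporary_password()
    return users


# Constructed sample input, extended from the page's own example rows:
# inputuser2 has an empty Password cell and so gets a generated one.
SAMPLE_CSV = """UserName,LastName,FirstName,Password,Group
inputuser1,user1,input1,mysecret,group7
inputuser1,user1,input1,mysecret,group8
inputuser2,user2,input2,,group7
"""

if __name__ == "__main__":
    for user, rec in load_users(SAMPLE_CSV).items():
        print(user, rec["Groups"], rec["PasswordSource"])
```

Because the Password column is plain text, the import file is itself a credential store and should be protected and disposed of accordingly.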

2.3.2 Understanding the Password Policy

Account Management Service contains a password policy that users must follow when changing their passwords through the account claim feature. The users access the URL (appliance_dns_name/ssus) provided in the automatic emails to change their password. The users' passwords must meet the following criteria:

The password is case sensitive.
Must be at least six characters long.
Must not include any of the following values: password, test
Must not include part of your name or your user name.
Must not include a common word or commonly used sequence of characters.

You cannot change the password policy, and the users see the password policy when they change their password.

2.4 Appliance Installation Worksheet

Use the following worksheet to gather the information required to install and configure the appliance.

Table 2-2 Appliance Installation Worksheet

Networking Information | Your Information
Publicly resolvable DNS name for the appliance |
NTP server |
DNS server, subnet mask, and gateway |
(Recommended) An SSL certificate signed by a well-known certificate authority (CA) |

Services Director | Your Information
DNS name of the Services Director |
The tenant's name and password |
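The account claim password policy of Section 2.3.2, as an added example that is not NetIQ's code: a checker that applies the five criteria to a candidate password. The criteria come from the page; the case-insensitive matching of forbidden values and names, the minimum length of a "part" of a name, and the short common-word list are our assumptions standing in for the appliance's unpublished list.

```python
"""Added example (not NetIQ's code): apply the account claim password
policy criteria listed in Section 2.3.2.  Criteria are from the page;
NAME_PART_MIN, the case-insensitive matching and COMMON_WORDS are ours."""
import re

FORBIDDEN_VALUES = ("password", "test")   # listed on the page
MIN_LENGTH = 6                             # "at least six characters"
NAME_PART_MIN = 3                          # assumption: what counts as a "part"
# Constructed, deliberately short stand-in for the appliance's own list of
# common words and commonly used sequences, which the page does not publish.
COMMON_WORDS = ("welcome", "letmein", "qwerty", "123456", "abc123")


def name_parts(*names):
    """Split the user name and real names into alphabetic tokens that are
    long enough to be a meaningful 'part' of a name (assumption)."""
    parts = set()
    for name in names:
        for token in re.findall(r"[A-Za-z]+", name or ""):
            if len(token) >= NAME_PART_MIN:
                parts.add(token.lower())
    return parts


def check_password(password, user_name, first_name="", last_name=""):
    """Return the list of policy violations; an empty list means accepted.
    The password itself is case sensitive, but forbidden values, name parts
    and common words are matched case-insensitively (assumption)."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for value in FORBIDDEN_VALUES:
        if value in lowered:
            violations.append(f"contains forbidden value '{value}'")
    for part in sorted(name_parts(user_name, first_name, last_name)):
        if part in lowered:
            violations.append(f"contains part of the name or user name '{part}'")
    for word in COMMON_WORDS:
        if word in lowered:
            violations.append(f"contains common word or sequence '{word}'")
    return violations


if __name__ == "__main__":
    # Constructed sample: the page's inputuser1 claiming an account.
    for candidate in ("Password1", "mySmith77", "Zq7!pLm9"):
        print(candidate, check_password(candidate, "inputuser1", "Input", "User1"))
```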

3 Deploying and Initializing the Account Management Service Appliance

After you have installed the Services Director framework, you can install the Account Management Service appliance. For more information, see the Identity as a Service Powered by NetIQ Services Director Framework Installation Guide.

3.1 Providing a Link to the Appliance for Your Tenants

You can provide a direct link to an FTP server so that your tenants can download the appliance VM image.

To provide a download link:

1 Log in to the provider console as administrator at Director_DNS_Name/css/Provider.
2 In the Security Services panel, click Account Management Service.
3 Click the Properties tab.
4 Click NCSService Component image Location.
5 Add the location of the VM image on your FTP server, then click Save.

Tenants see a link to download the VM image when they log in to the tenant console. The tenant console displays the link in the Security Services panel.

3.2 Deploying the Appliance

The appliance is an Open Virtualization Format (OVF) virtual appliance that you must deploy to your host server. NetIQ provides OVF files of the virtual images. Use the following sections to launch the appropriate virtual image on your host server.

3.2.1 Determining which OVF File to Use

NetIQ provides different OVF files for the different versions of VMware and for whether or not you have DHCP in your environment. After you have downloaded the appliance VM image, you must extract the file to access the available OVF files. Use the following table to determine which OVF file you need.

Table 3-1 OVF Files

ams.trunk.ovf: When you deploy Account Management Service in an environment with DHCP, use this file. For instructions, see Section 3.2.2, Importing an OVF File with DHCP, on page 18.

ams.trunk-vcenter.ovf: When you deploy Account Management Service in an environment without DHCP, or you want to use VMware vCenter Server to configure the networking options, use this file. For instructions, see Section 3.2.3, Importing an OVF File without DHCP.

3.2.2 Importing an OVF File with DHCP

If you have DHCP in your environment, use this procedure. You can choose to continue to use DHCP or to assign a static IP address to the appliance during the initialization process.

To import the OVF file:

1 Copy the cis.trunk-vcenter.ovf file to a Windows computer. For more information, see Section 3.2.1, Determining which OVF File to Use.
2 On the Windows computer, run the VMware vSphere client. This client runs only on a Windows computer and is available for download from your ESX or ESXi server. To download the client, enter the IP address of the server as a URL in a browser, then log in.
3 From the toolbar, select File > Deploy OVF Template.
4 Follow the prompts to deploy the OVF file.
  TIP: If you deploy the appliance using the ovftool, you can configure the appliance properties from the command line and auto-start the VM, so you do not have to use the vSphere client to configure the properties before starting the VM.
5 To start the VM image, in the toolbar, click Power on (green arrow icon).
6 To activate the mouse and keyboard for the console, click inside the console window.
7 Power on the appliance.
  The initial boot configures the appliance, which can take between five and twenty minutes to complete. When the appliance is ready, it displays a welcome message with the initialization URL.

3.2.3 Importing an OVF File without DHCP

If you want to use VMware vCenter Server, or if you do not have DHCP available in your environment, use this procedure. By using the OVF template, you can define your IP address and any additional network settings through VMware vCenter Server. When the initialization of the appliance occurs, the template has already configured your networking settings.

To import the OVF file:

1 Copy the cis.trunk.ovf file to a Windows computer. For more information, see Section 3.2.1, Determining which OVF File to Use.
2 On the Windows computer, run the VMware vCenter client for vSphere. This client runs only on a Windows computer and is available for download from your vSphere or vSphere Hypervisor server. To download the client, enter the IP address of the server as a URL in a browser, then log in.
3 From the toolbar, select File > Deploy OVF Template.
4 Follow the prompts.
5 In the Properties step, select auto-configure, then specify your network configuration information for the VM image.
6 Continue following the prompts.
7 Power on the appliance.
  The initial boot configures the appliance, which can take between five and twenty minutes to complete. When the appliance is ready, it displays a welcome message with the initialization URL.

3.3 Initializing the Appliance

Before initializing the appliance, verify that you meet the requirements listed in Chapter 2, Requirements, on page 13.

To initialize the appliance:

1 From a supported browser, access the initialization web interface at the URL displayed on the appliance screen after it is deployed.
  NOTE: This URL is case-sensitive, so ensure that you enter the non-variable portions of the URL exactly as illustrated.
2 Use the following information to initialize the appliance.
  Join Cluster: Select Join Cluster only if you are initializing an appliance to add to an existing cluster. The first appliance that you configure automatically becomes the master node in the cluster.
  Network: Use the following information to configure or validate your network settings.
    IP Address: Select whether to use a DHCP server to provide the networking information for the appliance or to use a static IP address for the appliance. If you used the VMware vCenter Server OVF file, these fields are already populated.
    NTP: Specify a network time protocol server. Time must be synchronized between the appliances in the cluster.
  Cluster Information: Specify the public DNS name for the appliance. This DNS name is the login page URL for your tenants' users.
  Services Director: Specify the public DNS name of the Services Director, and the tenant administrator's name and password.
3 Click Finish.
  A successfully initialized appliance automatically redirects the browser to the tenant console login page at Director_DNS_Name/css/.
4 Log in to the tenant console as a tenant administrator.

Whenever you make changes to the appliance, click Apply and wait for the appliance to finish applying your changes. Do not attempt to perform any other administration tasks in the console until the gears have stopped spinning on the Node icon.


4 Getting Started

The Services Director contains a management console for tenants called the tenant console. The tenant console allows tenants to access the administration console for any services provided to the tenant. For example, tenants access the Account Management Service administration console through the tenant console.

4.1 Logging In to the Tenant Console

To log in to the tenant console:

1 From a browser on a client computer, enter the URL the provider gave you.
2 Specify the following credentials to log in:
  Name: Specify the email address that you gave to the provider administrator to create your user account.
  Password: Specify the password for the account. The default value is the email address you specified for the name.
3 (Conditional) If this is your first login, follow the prompts to change your password. The password must contain at least one number.

4.2 Accessing the Account Management Service Appliance Administration Console

To access the Account Management Service appliance administration console:

1 Log in to the tenant console as a tenant administrator.
2 In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.

4.3 Registering the Appliance

Account Management Service provides a 90-day trial period. If you do not register the appliance within 90 days after installation, the appliance stops working. The Bomb icon on the Admin page displays how many days are left in the trial period.

For the purpose of meeting licensing requirements, when you register a single appliance, the cluster as a whole is considered to be registered. However, to use the Customer Center update channel to download and install software updates, you must register each node in the cluster separately. The Bomb icon remains on the Admin page if there are nodes in the cluster that have not yet been registered for channel updates. For more information about the update channel, see Section 13.4, Updating the Appliance, on page 56.

To register your appliance:

1 Obtain the registration code from your NetIQ contact. You use the same registration code for all tenants.
2 Access the Admin page of the appliance.
  2a Log in to the tenant console as a tenant administrator.
  2b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
3 In the Admin page, click the appliance, then click Register appliance.
4 Enter a valid email address. The address is used for notifications that updates are available.
5 Paste the registration code in the field.
6 Click Register.
7 Repeat Step 3 through Step 6 for each appliance in the cluster.
8 Repeat Step 1 through Step 7 for each tenant deployment of Account Management Service.

When you have successfully registered all nodes in the cluster, the Bomb icon disappears.

4.4 Understanding the Status Icons

The Services Director contains an embedded health system throughout the tenant console. In the different panels for the different components, there are colored status icons that have the following meanings:

Green icons with a check mark indicate that the component is configured correctly and running as designed.
Flashing green icons indicate that the component is working through its initialization process. In time, most flashing green icons change to a green icon. However, if an error occurs, the flashing green icon can change to a yellow or red icon.
Red icons with an x indicate that a component is not functioning correctly. This can be because the component has not been configured, it is not communicating with the system, or it has been disabled.
Gray icons indicate that no installed components currently meet the state.
Blue icons with an i indicate informational alerts and messages.
Yellow icons with an exclamation mark indicate warning items that probably need your attention.
Red icons indicate conditions that need your attention because a component is not functioning correctly.

4.5 Viewing Recommended Actions

The tenant console provides you with a list of recommended actions to maintain the health and functionality of your services.

To view the recommended actions:

1 Log in to the tenant console as a tenant administrator.
2 In the System panel, click the link for the recommended action.

The Recommended Actions panel displays the current actions that need to be performed. When you are first configuring your system, this panel displays the next configuration actions that need to be performed. If multiple actions appear, they can be performed in any order. After you have performed the recommended action or actions, new actions might appear.


5 Configuring the Appliance
The Account Management Service appliance allows you to configure different settings to make the appliance work best in your environment.

5.1 Configuring Network Options
The Account Management Service appliance contains a manual routing table, supports two Network Interface Cards (NICs), and provides a forward proxy.

5.1.1 Configuring the Forward Proxy
The forward proxy takes requests coming from the internal network and forwards them to the internet.
NOTE: The forward proxy feature is intended only for testing purposes. The forward proxy is not supported in a production environment.
To configure the forward proxy:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Tools palette, drag the Forward Proxy icon to the Tools panel.
3 Use the following information to configure the forward proxy:
Forward Proxy Server: Specify the IP address and port number of your proxy server.
Ignore List: Specify any IP addresses, with their associated DNS names, that you want the forward proxy to ignore. For example, localhost.
4 Click OK to save your changes. Clicking OK causes the services to restart, and you must log in to the appliance again.

5.1.2 Configuring the Routing Table
The appliance provides a routing table for use if your network has static routes. The routing table allows you to define the next hop in your network for the node in the cluster to reach the appropriate destination.
To configure the routing table for each node:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.

2 Click the Node icon, then select Configure.
3 Click the Routing tab.
4 Specify the appropriate Reverse Path Filter setting. Reverse path filtering drops an incoming packet when the route back to the packet's source address does not go out through the interface on which the packet arrived. If in doubt, leave the default setting of Strict mode: it prevents hosts from spoofing source IP addresses from local subnets and reduces the likelihood of distributed denial-of-service (DDoS) attacks that rely on spoofed source addresses.
5 Click the plus sign (+) icon to add a route.
6 Define the appropriate route, then click OK.
7 (Optional) Add additional routes.
8 Click Close.
9 Repeat Step 2 through Step 8 for each node in the cluster.

5.2 Changing the Certificates on the Appliance
The appliance contains self-generated SSL and SAML certificates, by default both named ag4csrv1. NetIQ highly recommends that you replace the default certificates with certificates signed by a well-known Certificate Authority. The required format for importing a key pair is .pfx. This format contains the private key, the certificate, and the trusted roots required for the import.
To change the certificates:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click the Cluster icon under Appliances, then click Configure.
3 Delete the default key pairs by clicking the red delete (X) icon next to the SSL key pair and the SAML key pair.
4 Browse to and select the certificates you want to use, then click OK.
5 In the Instructions window, click OK.
6 Click Apply and wait for the configuration changes to be applied to the appliance. Do not perform other administration tasks in the console while the changes are being applied.
7 Close your browser and reopen it to start a new session using the new key pairs.
An expired key pair certificate prevents changes from being made on this page and turns the key pair field red.
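The Reverse Path Filter setting on the Routing tab (Section 5.1.2) is easier to reason about with a small model of what the check does. The following Python is an added example and is not code from the appliance or from NetIQ: it implements longest-prefix route lookup over a constructed two-NIC routing table (the interface names eth0 and eth1, the prefixes and the packets are assumptions) and applies the reverse path check to a few packets. It goes beyond the guide, which names only Strict mode, by also modelling a loose check and no check, so the difference is visible: Strict drops a packet that claims a source address belonging to the other NIC's subnet, loose accepts it.

```python
import ipaddress

# Constructed two-NIC routing table for one cluster node (interface names and
# prefixes are assumptions): a default route on the first NIC, a directly
# connected subnet on each NIC, and one static route added on the Routing tab.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route
    ("192.168.1.0/24", "eth0"),  # eth0's own subnet
    ("10.20.5.0/24", "eth1"),    # eth1's own subnet
    ("10.20.0.0/16", "eth1"),    # static route: rest of 10.20/16 is reached via eth1
]


def route_lookup(routes, address):
    """Return the interface the node would use to reach `address` (longest-prefix match)."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_accept(routes, src, in_iface, mode="strict"):
    """Reverse path filter decision for a packet from `src` that arrived on `in_iface`.

    strict: accept only if the route back to `src` leaves through `in_iface`
            (the appliance default; a source from another NIC's subnet is dropped).
    loose:  accept if `src` is reachable through any interface at all. With a
            default route present this accepts every source.
    off:    no check.
    """
    if mode == "off":
        return True
    back = route_lookup(routes, src)
    if back is None:
        return False          # unroutable source: dropped by strict and loose alike
    if mode == "loose":
        return True
    return back == in_iface


# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("203.0.113.9", "eth0", "internet client arriving on the public NIC"),
    ("10.20.5.7", "eth1", "back-end host arriving on its own NIC"),
    ("10.20.5.7", "eth0", "claims a back-end source but arrived on the public NIC"),
    ("192.168.1.50", "eth1", "claims a public-subnet source but arrived on the back-end NIC"),
]


def evaluate(routes=ROUTES, packets=PACKETS):
    """Return {description: (strict_verdict, loose_verdict)} for each packet."""
    return {
        desc: (rpf_accept(routes, src, iface, "strict"), rpf_accept(routes, src, iface, "loose"))
        for src, iface, desc in packets
    }


if __name__ == "__main__":
    for desc, (strict, loose) in evaluate().items():
        print("%-62s strict=%-6s loose=%s" % (
            desc, "accept" if strict else "drop", "accept" if loose else "drop"))
```

The two spoofed packets are the case the guide's Strict recommendation is about: the model drops both, while the loose check lets them through because every address is routable once a default route exists. A static route added on the Routing tab changes the verdict for sources inside that prefix, so re-run the check after changing routes.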
5.3 Configuring Clustering for the Appliance
You can cluster the Account Management Service appliance. By default, the appliance is a single-node cluster, but the Services Director framework supports up to a five-node cluster. You add a node to the cluster by selecting Join Cluster during the initialization process.

5.3.1 Advantages of Clustering
Clustering offers several advantages. Most of these advantages are available only if you configure an L4 switch or round-robin DNS. The L4 switch is the best solution.

Disaster Recovery: Adding nodes to the cluster provides disaster recovery for your appliance. If one node stops running or becomes corrupt, you can promote another node to master.
Scalability: Configuring an L4 switch with clustering increases the scalability of the appliance.

5.3.2 Managing Nodes in the Cluster
The Services Director framework supports up to five nodes in a cluster. You add nodes to the cluster through the initialization process, and perform all other cluster management tasks through the administration console.
Adding a Node to the Cluster
To add a node to the cluster:
1 Verify that the cluster is healthy. All nodes must be running and communicating. All components must be in a green state. All failed nodes must be removed from the cluster. For more information about verifying that your cluster is healthy, see Section 15.4, Troubleshooting Different States.
2 Download and deploy a new virtual machine (VM) for the new node. For more information, see Section 3.2, Deploying the Appliance.
3 Initialize the appliance. Select Join Cluster as the first step to initialize the new node, then follow the on-screen prompts. For more information, see Section 3.3, Initializing the Appliance, on page 19. When initialization is complete, the browser is redirected to the tenant console and a login page appears.
4 Log in to the tenant console as a tenant administrator.
5 In the Security Services panel, next to Account Management Service, click the Launch administrative console icon. The new appliance should be displayed in the cluster. Wait until all spinner icons stop processing and all components are green before performing any other tasks. The cluster is adding the node and several background processes are running. This final step can take up to an hour to complete.
Promoting a Node to Master
The first node that you install is the master node of the cluster by default.
The master node runs the provisioning, reporting, and policy mapping services. You can promote any node to become the master node.
To promote a node to master:
1 Verify that the cluster is healthy. For more information, see Section 15.4, Troubleshooting Different States.
2 Take a snapshot of the cluster through your VMware tools.

3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
4 On the administration console, click the node that is to become the master node, then click Promote to master. An M appears on the front of the Node icon, indicating that it is now the master node. This process might take a while to complete. Watch for the Node spinner icons to stop and the health indicators to turn green before proceeding with any additional configuration changes. The services move from the old master to the new master. The old master is now just a node in the cluster.
WARNING: If the old master node is down when you promote another node to master, remove the old master from the cluster, then delete it from the host server. Otherwise, the appliance sees two master nodes and becomes corrupted.
When you switch the master node, logging and reporting start again on the new master. The historical logs are lost. The reporting data is also lost, unless you are using Sentinel Log Manager. For more information, see Section 12.3, Configuring the Appliance to Forward Events to Sentinel Log Manager, on page 52.
Removing a Node from the Cluster
You can remove a node from the cluster if something is wrong with the node. However, after you remove a node, you cannot add the same virtual image instance back into the cluster. You must delete that instance of the appliance from your host server, then deploy another instance to the host server to add a node back into the cluster.
To remove a node from the cluster:
1 (Conditional) If the node you are removing is the master node, promote another node to be master before you remove the old node. For more information, see Promoting a Node to Master.
2 (Conditional) If you are using an L4 switch, delete the node from the L4 switch. For more information, see the L4 switch documentation.
3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
4 On the Admin page, click the node you want to remove from the cluster.
5 Click Remove from cluster. The administration console immediately shows that the node is gone, but it takes some time for the background processes to finish.
6 Delete the instance of the node from the host server.
7 Delete the node from the tenant console.
7a In the Security Services panel, expand Account Management Service.
7b Delete the node you removed from the Admin page.

5.3.3 Configuring an L4 Switch for Clustering
If you want high availability or load balancing, you must configure an L4 switch for the appliance. An L4 switch can be configured in many different ways. Use the following recommendations to configure the L4 switch to work with the appliance.
Heartbeat: Configure the L4 switch health check with the appliance heartbeat URL. The L4 switch uses the heartbeat to determine whether the nodes in the cluster are running and working properly. The heartbeat URL returns a text message of Success and a 200 response code. Configure the switch to require both, so that a node returning some other page with a 200 status is not kept in rotation.
Persistence: Also known as sticky sessions, persistence sends all subsequent requests from a client to the same node. To make this happen, select SSL session ID persistence when you configure the L4 switch. Persistence increases the performance of the appliance for end users by removing the delay that occurs if the client sends a request to a new node instead of using its existing session on the same node. SSL session ID persistence requires the switch to pass the TLS session through to the node rather than terminate it, because the switch keys on the session ID exchanged in the TLS handshake.
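A health check that tests only for a 200 status keeps a node in rotation when it answers with, for example, a login page or an error page carrying status 200. The following Python is an added example, not the appliance's heartbeat implementation or an L4 switch configuration: it applies both conditions the guide states (status 200 and the body text Success) and includes a constructed stand-in HTTP server so the check can be exercised offline. The path /heartbeat is an assumption; substitute the heartbeat URL given for your appliance.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed path; substitute the heartbeat URL given for your appliance.
HEARTBEAT_PATH = "/heartbeat"


def heartbeat_ok(status, body):
    """Healthy only if BOTH facts the guide states hold: HTTP 200 and the text
    "Success". A node answering 200 with a login or error page, or "Success"
    with a 5xx status, is therefore taken out of rotation."""
    return status == 200 and body is not None and body.strip() == "Success"


def probe(url, timeout=3.0):
    """Fetch the heartbeat URL. Returns (status, body); a connection failure
    returns (None, "") so the caller treats it like any other failed check."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def check_node(base_url):
    """One health-check cycle for one node, as the L4 switch would perform it."""
    status, body = probe(base_url + HEARTBEAT_PATH)
    return heartbeat_ok(status, body)


class _FakeNodeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an appliance node so the example runs offline.
    It answers the heartbeat path as a healthy or a failed node would."""
    healthy = True

    def do_GET(self):
        if self.path != HEARTBEAT_PATH:
            self.send_response(404)
            self.end_headers()
            return
        body = b"Success" if self.healthy else b"Service unavailable"
        self.send_response(200 if self.healthy else 503)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_fake_node(healthy=True):
    """Start a throwaway node on a free loopback port; returns (server, base_url)."""
    handler = type("NodeHandler", (_FakeNodeHandler,), {"healthy": healthy})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for healthy in (True, False):
        server, base = run_fake_node(healthy)
        print(base, "in rotation" if check_node(base) else "out of rotation")
        server.shutdown()
        server.server_close()
```

Most L4 switches let you specify both an expected status and an expected response string for an HTTP health monitor; configure both, as heartbeat_ok does, and probe each node directly rather than through the virtual IP.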


6 Importing Data
Account Management Service allows you to import CSV files from HR systems or other sources to be the authoritative data source for the tenant. You can use Account Management Service as a stand-alone service for your tenant, or you can use it in conjunction with IdentityAccess Service as another identity source.
Most HR systems allow you to export your user information into a CSV file. Account Management Service imports the CSV files for the identity data.
To import the CSV files:
1 Export a CSV file from your HR system.
2 Verify that the CSV file matches the required CSV format. For more information, see Section 2.2, CSV File Requirements, on page 14.
or
You can map the fields in the CSV file when you configure the HR Feed collector.
3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
4 In the Identity Sources palette, drag the HR FEED collector to the Identity Sources panel.
5 Specify a unique name to display in the Admin page.
6 Browse to and select the CSV file.
or
Select Enable polling of HTTP URL location to poll for a CSV file on a web server so that changes are picked up automatically. If you select this option, you must specify your web server information. Because the CSV file can contain passwords and other personal data (see the fields in Chapter 7), serve it over HTTPS and restrict access to that location to the appliance.
7 (Conditional) Select the Enable LDAP server option if you are using the Account Management Service appliance to populate your IdentityAccess Service appliance. By default, the LDAP ports are disabled on the Account Management Service appliance. This option opens the default LDAP ports, 389 and 636, in the firewall on the Account Management Service appliance so that the IdentityAccess Service appliance can communicate with it. Port 389 is the LDAP port without TLS, so restrict network access to these ports to the IdentityAccess Service appliance.
8 (Optional) Click Advanced Options, then map the fields from your CSV file to the required mapping for Account Management Service.
9 Click OK to save the configuration, then click Apply to commit the changes to the appliance.
After you have imported the identity data, you must add authorizations for each connector so that the identity data is populated in the connected systems. Proceed to Chapter 9, Mapping Authorizations, on page 43.


7 Mapping Schema
Account Management Service populates identity data from the CSV file into the connected systems. The CSV file comes from one application and the connected systems are other applications, and every application involved in the synchronization process has its own schema. You must be able to map to the schema of the different applications for the identity information to be populated correctly by Account Management Service.
Mapping the schema between the CSV file and the connected system is a manual process. You must ensure that the fields in your CSV file match the schema defined in Account Management Service. You must also understand what the schema output to the connected systems is, so that the identity data flows correctly.
There is no tool to map the schema, which protects the integrity of the internal schema on the Account Management Service appliance. If you were somehow able to change the internal schema, identity data would stop flowing between the CSV file and the connected systems.
The CSV schema is also listed in the requirements. If the CSV file does not match the listed schema, the identity data is not imported into the appliance. For more information, see Section 2.2, CSV File Requirements, on page 14.
Account Management Service contains default connectors. Each connector has a different schema mapping. The following sections define the schema mapping between what must be in the CSV file and what the output is in the connected system.

7.1 Schema Mapping for the Connector for LDAP
Use the following information to make any changes to the schema of your CSV file and to understand what the output schema is for your LDAP directory. If your schema does not match the information in the CSV column, you must manually change your schema to match what is listed. The LDAP column lists the output schema in your LDAP directory.
NOTE: All of the information listed in the table is case sensitive. Ensure that you use the proper case for all of the attributes listed.
The CSV file is the export of your identity data from the HR system. The identity data in the CSV file contains fields that become attributes on the inetOrgPerson class in the LDAP directory. The following table shows which fields Account Management Service accepts into the appliance and how the appliance maps the fields from the CSV file to attributes in the LDAP directory. Where the LDAP Attribute column is empty, the field is accepted by the appliance but no LDAP attribute is listed for it in this guide.

Table 7-1 Connector for LDAP Schema Mapping

CSV Field                LDAP Attribute
UserName                 CN
FirstName                givenname
LastName                 sn
MiddleInitial            Initials
GenerationalQualifier
FullName                 fullname
Prefix
PreferredName
AddToGroup
RemoveFromGroup
DeleteGroup
TelephoneNumber          telephonenumber
Password
PreferredLanguage
Title                    Title
JobCode
WorkforceID
CostCenter
CostCenterDescription
EmployeeStatus
EmployeeType
Company
Department               OU
DepartmentNumber
Location                 L
Mailstop
StreetAddress            SA
City
State                    st
PostalCode
Country
OfficeNumber
MobileNumber
FaxNumber                facsimiletelephonenumber
PagerNumber
Email                    mail
InstantMessengerID
ManagerWorkforceID
Description
POBox
AccessCardNumber
Delete
DisableUser

7.2 Schema Mapping for the Connector for JDBC
Use the following information to make any changes to the schema of your CSV file and to understand what the output schema is for your JDBC database. If your schema does not match the information in the CSV column, you must manually change your schema to match what is listed. The JDBC column is empty for every field in this guide; the columns the connector writes by default are listed in Section 8.3.4, Populating the JDBC Database.

Table 7-2 Connector for JDBC Schema Mapping

CSV Field                JDBC
UserName
FirstName
LastName
MiddleInitial
GenerationalQualifier
FullName
Prefix
PreferredName
AddToGroup
RemoveFromGroup
DeleteGroup
TelephoneNumber
Password
PreferredLanguage
Title
JobCode
WorkforceID
CostCenter
CostCenterDescription
EmployeeStatus
EmployeeType
Company
Department
DepartmentNumber
Location
Mailstop
StreetAddress
City
State
PostalCode
Country
OfficeNumber
MobileNumber
FaxNumber
PagerNumber
Email
InstantMessengerID
ManagerWorkforceID
Description
POBox
AccessCardNumber
Delete
DisableUser
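The CSV import in Chapter 6 and the mapping in Table 7-1 can be checked before a feed is handed to the HR Feed collector. The following Python is an added example and is not NetIQ's collector code: it carries Table 7-1 as a dictionary, validates a CSV header against it case-sensitively (as the note above requires, pointing out the table's spelling for a near miss), and maps each row to the LDAP attributes listed. Treating UserName as required is an assumption of the example, made because it becomes CN; the sample CSV is constructed.

```python
import csv
import io

# Table 7-1 as a dictionary: CSV field -> LDAP attribute, or None where the guide
# lists no attribute (the collector accepts the field; this example writes nothing for it).
LDAP_MAPPING = {
    "UserName": "CN", "FirstName": "givenname", "LastName": "sn",
    "MiddleInitial": "Initials", "GenerationalQualifier": None, "FullName": "fullname",
    "Prefix": None, "PreferredName": None, "AddToGroup": None, "RemoveFromGroup": None,
    "DeleteGroup": None, "TelephoneNumber": "telephonenumber", "Password": None,
    "PreferredLanguage": None, "Title": "Title", "JobCode": None, "WorkforceID": None,
    "CostCenter": None, "CostCenterDescription": None, "EmployeeStatus": None,
    "EmployeeType": None, "Company": None, "Department": "OU", "DepartmentNumber": None,
    "Location": "L", "Mailstop": None, "StreetAddress": "SA", "City": None, "State": "st",
    "PostalCode": None, "Country": None, "OfficeNumber": None, "MobileNumber": None,
    "FaxNumber": "facsimiletelephonenumber", "PagerNumber": None, "Email": "mail",
    "InstantMessengerID": None, "ManagerWorkforceID": None, "Description": None,
    "POBox": None, "AccessCardNumber": None, "Delete": None, "DisableUser": None,
}

# Assumption of this example: UserName is required because it becomes the CN.
REQUIRED_FIELDS = ("UserName",)

# Constructed sample feed; the password values are placeholders.
SAMPLE_CSV = """UserName,FirstName,LastName,Department,Location,Email,Password
jdoe,Jane,Doe,Engineering,Provo,jane.doe@example.com,Chang3Me!
rroe,Richard,Roe,Sales,Houston,richard.roe@example.com,Chang3Me!
"""


class CsvSchemaError(ValueError):
    """Raised when the CSV header does not match Table 7-1."""


def validate_header(fields):
    """Check every header field against the table, case-sensitively. A field that
    differs only in case is reported together with the spelling the table uses."""
    problems = []
    for field in fields:
        if field in LDAP_MAPPING:
            continue
        hint = next((k for k in LDAP_MAPPING if k.lower() == field.lower()), None)
        problems.append("unknown field %r%s" % (field, " (did you mean %r?)" % hint if hint else ""))
    for required in REQUIRED_FIELDS:
        if required not in fields:
            problems.append("missing required field %r" % required)
    if problems:
        raise CsvSchemaError("; ".join(problems))


def map_rows(csv_text):
    """Parse the feed and return one {ldap_attribute: value} dict per row.
    Fields with no LDAP attribute in the table (Password among them) are dropped
    here, so the returned dicts can be logged without leaking credentials."""
    reader = csv.DictReader(io.StringIO(csv_text))
    validate_header(reader.fieldnames or [])
    rows = []
    for row in reader:
        attrs = {}
        for field, value in row.items():
            if field is None or not value:      # surplus columns / empty cells
                continue
            attr = LDAP_MAPPING[field]
            if attr:
                attrs[attr] = value
        rows.append(attrs)
    return rows


if __name__ == "__main__":
    for entry in map_rows(SAMPLE_CSV):
        print(entry)
```

Run the validation on every export before it reaches the collector: a header such as username instead of UserName is rejected with the correct spelling in the message, which is the failure the case-sensitivity note above warns about.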

8 Populating Identity Data
After you have imported the identity data into the Account Management Service appliance, you can export the identity data to populate multiple connected systems. If you are using IdentityAccess Service, you can use Account Management Service to populate your identity sources.

8.1 Exporting Identity Data to a CSV File
You can export the identity data to a CSV file to import into other applications.
To export the identity data:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Applications palette, drag the Identity Output connector to the Applications panel.
3 Change the display name, if appropriate.
4 Select Export existing users.
5 Click OK, then click Apply to save the changes and generate the CSV file.
Account Management Service exports all of the identity information into a CSV file and zips the file. When the file is ready, a download link appears in the Configuration tab of the Identity Output connector.

8.2 Populating Identity Data to the IdentityAccess Service
You can use Account Management Service as an identity source for IdentityAccess Service. You can configure the identity source only after the IdentityAccess Service appliance is running.
To populate the identity data to the IdentityAccess Service appliance:
1 Deploy an IdentityAccess Service appliance. For more information, see Identity as a Service Powered by NetIQ IdentityAccess Service Installation Guide.
2 Access the Admin page of the IdentityAccess Service appliance.
2a Log in to the tenant console as a tenant administrator.
2b In the Security Services panel, next to IdentityAccess Service, click the Launch administrative console icon.
3 In the Identity Sources palette, drag the Account Management Service identity source icon to the Identity Sources panel.
4 Use the following information to configure the Account Management Service identity source:
Account Management Service Server: Specify the IP address or the DNS name of the Account Management Service server.

Username and Password: Specify the tenant name and password for the Account Management Service server.
5 Click OK to save the configuration information.
6 Click Apply to commit the changes to the appliance.
You must repeat this procedure for each tenant that is to use the Account Management Service appliance as its identity source.

8.3 Populating Identity Data to a JDBC Database
You can use Account Management Service to populate your JDBC database with identity data from your HR system. To populate the JDBC database, you must know and understand JDBC databases. The information provided in this section is for database administrators.
Use the following sections to configure your connector for JDBC to populate your identity data from the HR system.

8.3.1 Meeting the Requirements
Verify that you meet the following requirements or obtain the following information before configuring your connector for JDBC:
Ensure that you have completed the steps in Chapter 7, Mapping Schema, on page 33.
A supported type of JDBC database: Microsoft SQL Server 2008 or 2014, or Oracle Database 10.2 or 11.1.
The IP address of the JDBC database.
The port for communication. The default port is 1433 for Microsoft SQL Server or 1521 for Oracle Database.
The database name or SID (idm for Microsoft SQL Server; defined as the SID in Oracle Database).
The script files must be installed before you can populate the JDBC database. For more information, see Obtaining the Script Files.
The password for the user name in the sample scripts you install. For more information, see Obtaining the Script Files.

8.3.2 Obtaining the Script Files
To populate your JDBC database with identity data, you must install script files on your JDBC database so that the Account Management Service appliance knows which tables to populate. You download the script files when you configure the connector for JDBC. You download a single zipped file that contains multiple scripts.
The scripts are:
indirect_install: Installs the schema, which includes the indirect tablespace and the proc_authuser() stored procedure, as well as the automatic triggers for the indirect.usr and indirect.grp tables.
uninstall: Removes the schema and deletes or drops the connector user accounts in the underlying database.

8.3.3 Configuring the Connector for JDBC
After you have met the requirements, you must configure the connector for JDBC.
To configure the connector for JDBC:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Applications palette, drag the connector for JDBC icon to the Applications panel.
3 Download and install the sqlscripts.zip file on your JDBC database.
4 Select the type of JDBC database you have. The options are MS-SQL or Oracle.
5 Specify the IP address and port for the JDBC database.
6 Specify your database name, user name, and password.
NOTE: The scripts contain the database name, user name, and password. If your database name is different from the name specified in the scripts, you must change the script files. Because the scripts also carry the connector user's password, change it from the sample value before you run them, and treat the edited scripts as credential material.
7 Read and accept the 3rd party license agreement.
8 Click OK, then click Apply to save the connector.
After you have configured the connector for JDBC, you must grant authorizations to the users. Proceed to Chapter 9, Mapping Authorizations, on page 43 to complete the population of your JDBC database.

8.3.4 Populating the JDBC Database
The JDBC scripts create the indirect.usr and indirect.grp tables in your JDBC database. The connector for JDBC populates these tables with identity data when the appliance creates new data or modifies existing data. You or your database administrator must then define triggers to move the identity data from the indirect tables into the tables in your database that contain the identity data.
By default, the connector populates the following columns:
indirect.usr.idu
indirect.usr.username
indirect.usr.lname
indirect.usr.email (Mandatory only for Salesforce accounts)

8.4 Populating Identity Data to LDAP Directories
Account Management Service contains a connector for LDAP that allows you to populate different LDAP directories with identity data from your HR system. You must use a separate connector for LDAP for each directory that you want to populate. Use the following sections to configure your connector for LDAP.
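The staging-table pattern of Section 8.3.4 (the connector writes only the indirect tables; a trigger you define moves rows into the application's own tables) can be tried out without a SQL Server or Oracle instance. The following Python is an added example using SQLite and is not the indirect_install script or the connector's code: the table indirect_usr stands in for indirect.usr (SQLite has no schemas), its columns are the four the guide lists, and the target table hr_users and the two triggers are assumptions that play the part of the DBA-defined triggers.

```python
import sqlite3

# Constructed stand-in for the indirect.usr staging table and an application
# table it feeds. indirect_usr stands in for indirect.usr; the columns idu,
# username, lname and email are the ones the guide lists. hr_users and both
# triggers are assumptions for illustration: they play the part of the
# DBA-defined triggers the guide says you must add.
SCHEMA = """
CREATE TABLE indirect_usr (
    idu      INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    lname    TEXT,
    email    TEXT
);

CREATE TABLE hr_users (
    user_id  INTEGER PRIMARY KEY,
    login    TEXT NOT NULL UNIQUE,
    surname  TEXT,
    mail     TEXT
);

-- New identity written by the connector: create the application user.
CREATE TRIGGER indirect_usr_ins AFTER INSERT ON indirect_usr
BEGIN
    INSERT INTO hr_users (user_id, login, surname, mail)
    VALUES (NEW.idu, NEW.username, NEW.lname, NEW.email);
END;

-- Identity modified by the connector: update the application user in place.
CREATE TRIGGER indirect_usr_upd AFTER UPDATE ON indirect_usr
BEGIN
    UPDATE hr_users
       SET login = NEW.username, surname = NEW.lname, mail = NEW.email
     WHERE user_id = NEW.idu;
END;
"""


def open_db():
    """In-memory database with the staging and application tables and triggers."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def connector_write(con, idu, username, lname, email=None):
    """What a create or modify from the appliance amounts to on the database side:
    a write to the staging table only. Statements are parameterised; identity data
    from an HR feed must never be formatted into SQL text."""
    exists = con.execute("SELECT 1 FROM indirect_usr WHERE idu = ?", (idu,)).fetchone()
    if exists:
        con.execute(
            "UPDATE indirect_usr SET username = ?, lname = ?, email = ? WHERE idu = ?",
            (username, lname, email, idu),
        )
    else:
        con.execute(
            "INSERT INTO indirect_usr (idu, username, lname, email) VALUES (?, ?, ?, ?)",
            (idu, username, lname, email),
        )
    con.commit()


def application_user(con, idu):
    """Row in the application table as the triggers left it, or None."""
    return con.execute(
        "SELECT login, surname, mail FROM hr_users WHERE user_id = ?", (idu,)
    ).fetchone()


def user_count(con):
    return con.execute("SELECT COUNT(*) FROM hr_users").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    connector_write(db, 1001, "jdoe", "Doe", "jane.doe@example.com")         # create
    connector_write(db, 1001, "jdoe", "Doe-Smith", "jane.doe@example.com")   # modify
    print(application_user(db, 1001), user_count(db))
```

Two points carry over to the real database: the connector account needs write access to the indirect tables only, while the move into the application's tables is done by the DBA-owned trigger; and the modify path must be an update, not a second insert, or the application table collects duplicates.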

8.4.1 Meeting the Requirements
Verify that you meet the following requirements or obtain the following information before configuring a connector for LDAP:
Ensure that you have completed the steps in Chapter 7, Mapping Schema, on page 33.
Ensure that your LDAP directory supports LDAPv3.
A user account that has administrative rights to the LDAP directory. This administrative account must be able to create and modify accounts as well as set passwords on the user accounts. Grant it those rights over the target container only, rather than over the whole directory.
The IP address and SSL port of the LDAP directory server.
If you are using Active Directory, ensure that all user names across the Active Directory domain (sAMAccountName) are unique, no matter where they reside in the domain.

8.4.2 Configuring the Connector for LDAP
After you have met the requirements, you must configure the connector for LDAP.
To configure the connector for LDAP:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Applications palette, drag the connector for LDAP icon to the Applications panel.
3 Use the following information to configure the settings for the connector:
Credentials > Username and Password: Specify, in LDAP DN format, the user name of a user with administrative rights to the accounts in the LDAP directory, and that user account's password.
Target LDAP Context: Specify the target or parent container in the LDAP directory where the user accounts will be created. In the Advanced Options, you can select the type of placement you want for the user accounts.
LDAP Directory Server: Specify the IP address and SSL port of the LDAP server. You can add more than one server that holds a replica of the user accounts.
IMPORTANT: If you are using Active Directory as your LDAP directory, you must enable SSL to set passwords on the user accounts.
Advanced Options: The connector for LDAP has additional options that you can change to customize how the connector works. All of the following options have default values that the connector uses unless you change them.
Account Entitlement: Select what the connector does when you revoke the entitlement or authorization of a user account. The options are:
disable user (default option)
delete user
do nothing
With do nothing, the account stays enabled in the directory after its authorization is revoked, so such accounts must be reviewed by some other process.

Placement in Target LDAP: Select where the connector places the user accounts in the LDAP directory. The connector does not create or place groups.
flat: (default option) The connector places all user accounts in the container you specified in the Target LDAP Context field.
department (OU): The connector places each user account in the department container you define in the OU attribute on the user account.
location (L): The connector places each user account in the location container you define in the L attribute on the user account.
Target Account Naming: Select how the connector names your new user accounts.
UserName: (default option) The connector creates the user account name from the cn attribute on the user account.
FirstName.LastName: The connector creates a lowercase user account name from the firstname attribute and the lastname attribute, separated by a period.
Email Address: The connector uses the email address as the user account name.
1st Letter FirstName + LastName: The connector creates a lowercase user account name from the first character of the firstname attribute followed by the lastname attribute, with no separator.
FirstName + 1st Letter LastName: The connector creates a lowercase user account name from the firstname attribute followed by the first character of the lastname attribute, with no separator.
The name-derived schemes produce the same name for users who share a first and last name; the requirement that sAMAccountName values be unique across an Active Directory domain applies to the generated names, so check a feed for such collisions before choosing one of those schemes.
4 Click OK, then click Apply to save the connector.
After you have created the connector, you must authorize the accounts to be created in the LDAP directory. Proceed to Chapter 9, Mapping Authorizations, on page 43.
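The five Target Account Naming schemes and three placement options above determine the account name and DN of every account the connector creates. The following Python is an added example and is not the connector's code: it computes the name and DN for constructed sample users, escapes RDN values according to RFC 4514, and refuses a plan in which two users would receive the same name, which is the collision the Active Directory uniqueness requirement turns into a provisioning failure. The Target LDAP Context value and the use of ou= containers named after the OU or L value for the department and location placements are assumptions of the example.

```python
# Attributes as they look after the Table 7-1 mapping: keys are the LDAP
# attribute names the guide uses, values are constructed sample data.
SAMPLE_USERS = [
    {"CN": "jdoe", "givenname": "Jane", "sn": "Doe", "mail": "jane.doe@example.com",
     "OU": "Engineering", "L": "Provo"},
    {"CN": "jdoe2", "givenname": "John", "sn": "Doe", "mail": "john.doe@example.com",
     "OU": "Sales", "L": "Provo"},
    {"CN": "mocon", "givenname": "Mary", "sn": "O'Connor, Jr.",
     "mail": "mary.oconnor@example.com", "OU": "Sales", "L": "Houston"},
]

TARGET_CONTEXT = "ou=Users,dc=example,dc=com"   # assumed Target LDAP Context value

NAMING_SCHEMES = (
    "UserName",
    "FirstName.LastName",
    "Email Address",
    "1st Letter FirstName + LastName",
    "FirstName + 1st Letter LastName",
)


def account_name(attrs, scheme="UserName"):
    """Apply one Target Account Naming scheme from the guide to one user."""
    first, last = attrs.get("givenname", ""), attrs.get("sn", "")
    if scheme == "UserName":
        return attrs["CN"]
    if scheme == "FirstName.LastName":
        return (first + "." + last).lower()
    if scheme == "Email Address":
        return attrs["mail"]
    if scheme == "1st Letter FirstName + LastName":
        return (first[:1] + last).lower()
    if scheme == "FirstName + 1st Letter LastName":
        return (first + last[:1]).lower()
    raise ValueError("unknown naming scheme: %r" % scheme)


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value inside an RDN. Without it a value
    such as "O'Connor, Jr." or one containing '=' or '+' changes the structure of
    the DN instead of being part of the name."""
    special = set(',+"\\<>;=')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def placement_dn(attrs, name, placement="flat", context=TARGET_CONTEXT):
    """Build the DN for the three Placement in Target LDAP options. Using an ou=
    container named after the OU or L value is an assumption of this example."""
    if placement == "flat":
        parent = context
    elif placement == "department (OU)":
        parent = "ou=%s,%s" % (escape_rdn_value(attrs["OU"]), context)
    elif placement == "location (L)":
        parent = "ou=%s,%s" % (escape_rdn_value(attrs["L"]), context)
    else:
        raise ValueError("unknown placement: %r" % placement)
    return "cn=%s,%s" % (escape_rdn_value(name), parent)


def plan_accounts(users, scheme="UserName", placement="flat"):
    """Return [(account_name, dn)] for all users, or raise if two users would get
    the same name. Names are compared case-insensitively because Active Directory
    requires sAMAccountName to be unique across the domain, whatever the container."""
    seen, plan = {}, []
    for user in users:
        name = account_name(user, scheme)
        key = name.lower()
        if key in seen:
            raise ValueError("scheme %r gives the name %r to both %r and %r"
                             % (scheme, name, seen[key], user["CN"]))
        seen[key] = user["CN"]
        plan.append((name, placement_dn(user, name, placement)))
    return plan


if __name__ == "__main__":
    for scheme in NAMING_SCHEMES:
        try:
            for name, dn in plan_accounts(SAMPLE_USERS, scheme, "department (OU)"):
                print("%-34s %-26s %s" % (scheme, name, dn))
        except ValueError as err:
            print("%-34s REJECTED: %s" % (scheme, err))
```

Running the plan over a full export before enabling the connector shows which schemes are safe for your population: with the sample data, 1st Letter FirstName + LastName is rejected because Jane Doe and John Doe both become jdoe, while UserName and Email Address stay unique.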


9 Mapping Authorizations
Most companies define their business policies through authorization assignments. Examples of authorizations are groups, roles, and profiles. These authorizations differ for each connected system. Authorizations allow Account Management Service to populate the connected systems according to your business policies. Account Management Service provides a simple solution that allows you to map your identity data roles (groups) to the connected system authorizations. The Policy Mapping page maps the roles (groups) in Account Management Service to the authorizations in the connected systems.

9.1 Prerequisites
Verify that you meet the following prerequisites before mapping authorizations to the connected systems:
Configure the appropriate connectors for your environment.
Ensure that roles (groups) exist in Account Management Service.

9.2 Loading Authorizations
To map an authorization, you must load the authorization into the Policy Mapping page.
To load authorizations into the Policy Mapping page:
1 Verify that you have configured the SaaS application connectors that provision users.
2 Access the Admin page of the appliance.
2a Log in to the tenant console as a tenant administrator.
2b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
3 Click Policy to open the Policy Mapping page.
4 In the right pane, click the down arrow next to the connector, then select your connected system connector. If the Policy Mapping page does not display the connected system connector, you did not configure the connector properly.
Successfully completing these steps populates the Policy Mapping page with the connected system's authorizations.

9.3 Reloading Authorizations
When you switch the master node in the cluster, or when you add new roles in Account Management Service, you must reload the authorizations on the Policy Mapping page.

To reload authorizations:
1 To reload roles (groups) from Account Management Service, click the Reload table icon at the end of the Roles table.
2 To reload authorizations from the connected systems, click the Reload table icon at the end of the Authorizations table.

9.4 Mapping Authorizations
After the authorizations load, map the connected system authorizations to the Account Management Service roles (groups).
To map authorizations:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click Policy at the top of the page.
3 In the right pane of the Policy Mapping page, click the down arrow, then select the appropriate connected system connector.
4 In the Role Name column on the left, select the role (group) from the identity source that you want to map to an authorization from the selected SaaS connector.
5 In the right pane, drag and drop the appropriate authorization from the SaaS connector to the left mapping pane.
or
In the left pane, drag and drop the appropriate group from the identity source to the right mapping pane.
6 Click OK to map the SaaS authorization to the identity source group.
The mapping grants users who are members of the Account Management Service role the connected system authorization.

10 Configuring Account Claim for Users

After the appliance has synchronized the user accounts to the connected systems, the users cannot log in to the connected systems until they claim their accounts. To claim an account, the user must access a specific URL and then change the default password. Account claim is part of the Self-Service User Store (SSUS) feature. After you enable the service, users can immediately begin to claim accounts.

10.1 Configuring Self-Service User Store for Account Claim

By default, Account Management Service requires users to have a valid email account to claim the account. When a user changes their password, they receive a password change notification email. You can also configure which service options your users can use when they claim their account. The services include allowing users to change their password and to set forgotten-password challenge response questions.

Use the following steps to enable the SSUS service for account claim. You must repeat this process for each tenant where you want to enable account claim.

To enable the SSUS service for account claim:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Identity Sources palette, drag the Self-Service User Store icon to the Identity Sources panel.
3 In the Identity Sources panel, click the new identity source, then click Configure.
4 In the Configuration tab, decide which options you want presented to your users and help desk administrators.
5 Click OK to enable the service.
6 In the System Configuration panel of the administration console, click Apply to activate and start SSUS as a service.
7 Wait for the SSUS service to be activated and started across all nodes in the cluster. In the Appliances panel, the icon on each node of the cluster spins until the service is ready on the node. Do not apply additional changes until this action is complete on all nodes.

10.2 Using the Account Claim Service

With the default option of email, when users change their passwords, they receive a password change notification email. If you configured SSUS before importing users with the CSV file, Account Management Service automatically sends emails to the users that contain their user name, a temporary password, and the URL they need to access to change their password. However, you must have defined the users' email addresses in the CSV file for this feature to work.

If you did not configure the users' email addresses, you must supply the following URL for users to access, and provide the users with their account name and password through whatever means you have to distribute that information. The users access the site and log in with their user name and password. The site prompts them to change their password and set up the challenge response questions. The challenge response questions allow the users to change their own password when they forget it.

If you imported the CSV file without configuring SSUS or the users' email addresses, you can still get the appliance to send the automatic emails. For more information, see Section 15.7, Troubleshooting Automatic Emails for Users' Passwords.

11 Using Identity Manager Drivers

The Account Management Service appliance allows you to import and use Identity Manager drivers. The drivers allow you either to populate the appliance with user accounts or to connect to and populate other systems. The Account Management Service appliance does place restrictions and limitations on the types of drivers you can import.

11.1 Restrictions for the Identity Manager Drivers

For this section, you must have detailed knowledge of Identity Manager and its tools. For more information, see the Identity Manager 4.5 documentation website.

To use Identity Manager drivers with the Account Management Service appliance, your driver must comply with the following restrictions:

The driver must be unidirectional. You can have only a Subscriber channel or a Publisher channel for the driver. The Account Management Service appliance does not support bidirectional drivers.
All of the policies for the driver must be written in DirXML Script.
Every possible deployment configuration option for the driver must be a Global Configuration Value (GCV). Structured GCVs are supported to level one with the default values you defined in Designer. Account Management Service does not allow you to modify or change any values. If you need to change the values, you must change them in Designer.

IMPORTANT: Neither the Connector Toolkit, the Services Director, nor the Account Management Service administration console allows you to edit or change your GCVs or the DirXML Script for the driver. If you need to modify the driver, you must make all of your changes in Designer, export the driver, and then create a new version of the connector with the changes.

11.2 Importing the Identity Manager Drivers

Identity Manager has drivers, and Account Management Service has connectors. You must import your driver (XML file) into the Connector Toolkit to create a connector template from the driver. You reuse this connector template to create a connector for each tenant.

To import the Identity Manager driver:
1 In Designer, export the Identity Manager driver.
2 Log in to the provider console as a provider administrator: Director_DNS_Name/css/Provider
3 In the Tools panel, click the SSO Connector Tool.
4 Click New > Embedded.

5 Specify a name and version number for the new connector.
6 Browse to and import the XML file of the driver and an icon for the driver. You see the icon in the provider console and in the Account Management Service administration console.
7 Click Save to create the new connector template.

11.3 Exporting or Publishing the Connector Template

After you create the connector template, you must either export or publish it. The first step when creating a connector is to import the connector template. Exporting the connector template creates a file that you can use on another system. When you publish a connector template, the Services Director provider console exports the connector template and then imports it automatically into your existing system.

To export the connector template:
1 Log in to the provider console: Director_DNS_Name/css/Provider
2 In the Tools panel, next to SSO Connector Tool, click the Launch SSO Connector Tool icon.
3 Highlight the connector template you created, then click Export.
4 Save the ZIP file for use on another system.

To publish the connector template:
1 Log in to the provider console.
2 In the Tools panel, next to SSO Connector Tool, click the Launch SSO Connector Tool icon.
3 Highlight the connector template you created, then click Publish.
4 Read the message, then click Close.

11.4 Displaying Connectors for Tenants

By default, tenants cannot see any connectors. You must assign a connector to a tenant for the connector to display in the Applications palette of the Account Management Service appliance.

If you unassign a connector from a tenant and the tenant has not configured the connector, the tenant can no longer see the connector in the Applications palette. If the tenant has already configured the connector, the configured connector stays configured in the Account Management Service appliance and remains functional. However, the Applications palette no longer contains the connector, and the tenant cannot configure any additional connectors.

To assign a connector to a tenant:
1 Log in to the provider console as a provider administrator: Director_DNS_Name/css/Provider
2 In the Security Services panel, click Account Management Service.
3 Click the connector you want to assign to a tenant.
4 Click the green arrow next to each tenant you want to assign to the connector.
5 Click Save to save the assignment.
6 Repeat the procedure for each connector.

After you have assigned the tenants to the connectors, you must configure the connector for each tenant or have the tenant configure it.

11.5 Configuring the Identity Manager Drivers

After you have created, published, and assigned the connector to the tenant, you must configure the connector for each tenant.

To configure the new connector:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 For Publisher drivers, in the Identity Sources palette, drag the new connector to the Identity Sources panel.
3 For Subscriber drivers, in the Applications palette, drag the new connector to the Applications panel.
4 (Conditional) If the driver uses the Remote Loader, you must specify a Remote Loader password, then copy the certificate and add it to the Remote Loader:
4a Specify a Remote Loader password.
4b Copy the certificate from the connector configuration information.
4c Launch the Remote Loader.
4d Specify the same Remote Loader password here as you did in Account Management Service.
4e Paste the certificate into the Remote Loader instance for this connector.
5 Configure the driver using the GCVs that the administration console displays for the connector.
6 Click OK to save the configuration information.
7 Click Apply to commit the changes to the appliance.

Neither the Connector Toolkit, the Services Director, nor the Account Management Service administration console allows you to edit or change your GCVs or the DirXML Script for the driver. If you need to modify the driver, you must make all of your changes in Designer, export the driver, and then create a new version of the connector with the changes.


12 Reporting

The Account Management Service appliance provides the ability to view the users and groups you imported from your HR system. The appliance also provides the option to use Google Analytics as an external dashboard, or to forward events to Sentinel Log Manager or a syslog server.

12.1 Viewing Users and Groups

You can view the users and groups that you imported into the Account Management Service appliance.

To view users and groups:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click the Reports tab.
3 Click HRFeed, then click Run.
4 Select whether you want to see Users or Groups.
5 In the Filtered by field, enter the name of the user or group you want to view, then click View.
6 Click OK to close the viewer.

12.2 Using Google Analytics as an External Dashboard

The appliance enables administrators to use Google Analytics as an external dashboard to monitor and analyze usage. After you have completed the free Google Analytics registration process for the appliance, data is available for analysis within a few hours. You can also do your own data mining with the API that Google provides. For more information, see the Google Analytics website.

To set up Google Analytics for the appliance:
1 (Conditional) If you do not already have a Google account, set one up on the Google website.
2 Sign in to your Google account and select the option to register for Google Analytics.
3 Select the option to monitor a website and provide the base URL for the appliance. Google Analytics tracks both user and admin logins.
4 Specify an account name. This account name is only for managing Google Analytics and does not affect anything in the appliance. You can share this account name as needed.
5 Access the Admin page of the appliance.
5a Log in to the tenant console as a tenant administrator.
5b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
6 In the Tools palette, drag the Google Analytics icon to the Tools panel.

7 Enter the Tracking ID (not the tracking code) that Google provided during the registration process, then click OK.
8 Click Apply and wait for the appliance to update.

NOTE: If you have any issues with configuring the Google Analytics tool in the administration console, such as the tool being invisible on the Tools palette, verify that you do not have any ad blockers running in your browser that might be interfering with administration tasks. You should be able to disable any ad blockers on the web page itself.

12.3 Configuring the Appliance to Forward Events to Sentinel Log Manager

The appliance can forward events to Sentinel Log Manager 1.2.x if you want more detailed reports.

To integrate the appliance with Sentinel Log Manager:
1 Configure Sentinel Link in Sentinel Log Manager. For more information, see the Sentinel Link Overview Guide (documentation/sentinel70/sentinel_link_overview/data/bookinfo.html).
2 Open TCP port 1290 on the Sentinel Log Manager server:
2a To open the port, SSH in to the Sentinel Log Manager server as root.
2b At the command prompt, enter yast firewall.
2c Select Advanced > Allowed Services, then manually add port 1290 to the list of TCP ports.
3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
4 In the Tools palette, drag the Sentinel icon to the Tools panel.
5 Click the Sentinel icon, then click Configure.
6 Specify the IP address and port of the Sentinel Link server.
7 Click OK, then click Apply to save the changes.

The appliance appears as another event source in Sentinel Log Manager.

12.4 Configuring the Appliance to Forward Events to a Syslog Server

You can configure the appliance to forward various events to a syslog server. The forwarded event types include Login, Logout, Register Device, Un-register Device, and Failed Login.

To configure the appliance to forward events to a syslog server:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 In the Tools palette, drag the Syslog tool to the Tools panel.
3 Click the Syslog icon, then click Configure.
4 Use the following information to configure the Syslog tool:
4a Specify the IP address and the port of the syslog server.
4b Select the protocol to use: UDP, TCP, or TLS.
5 Click OK, then click Apply to save the changes.
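Once the five event types above reach the syslog server, a receiver can turn them into detections. The following Python script is an added example, not code from the NetIQ guide: it parses RFC 5424 lines carrying those event types and flags users whose burst of Failed Login events is followed by a successful Login. The key=value message body, the constructed sample lines and the thresholds are assumptions; the appliance's real message format may differ.

```python
"""Detection over appliance events forwarded to a syslog server.

Added example, not code from the NetIQ guide. The page does not document the
appliance's message body, so a key=value body is ASSUMED here, for example:
    event="Failed Login" user=bob src=203.0.113.7
Adapt BODY_RE to what your appliance actually emits.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The five event types the guide says the Syslog tool forwards.
FORWARDED_EVENTS = {"Login", "Logout", "Register Device",
                    "Un-register Device", "Failed Login"}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ \S+ (?P<msg>.*)$")
# Assumed message body; event names contain spaces, so the value is quoted.
BODY_RE = re.compile(
    r'event="(?P<event>[^"]+)" user=(?P<user>\S+) src=(?P<src>\S+)')

# Constructed sample: two cluster nodes forwarding to the same syslog server.
SAMPLE_LOG = """\
<86>1 2015-07-14T10:00:00Z ams-node1 ams - - - event="Login" user=alice src=10.0.0.5
<86>1 2015-07-14T10:00:10Z ams-node1 ams - - - event="Register Device" user=alice src=10.0.0.5
<84>1 2015-07-14T10:01:00Z ams-node1 ams - - - event="Failed Login" user=bob src=203.0.113.7
<84>1 2015-07-14T10:01:30Z ams-node2 ams - - - event="Failed Login" user=bob src=203.0.113.7
<84>1 2015-07-14T10:02:00Z ams-node1 ams - - - event="Failed Login" user=bob src=203.0.113.7
<86>1 2015-07-14T10:02:30Z ams-node1 ams - - - event="Login" user=bob src=203.0.113.7
<84>1 2015-07-14T10:30:00Z ams-node2 ams - - - event="Failed Login" user=carol src=10.0.0.9
<86>1 2015-07-14T10:31:00Z ams-node1 ams - - - event="Logout" user=alice src=10.0.0.5
kernel: this line is not an appliance event and must be ignored
"""


def parse_line(line):
    """Return a dict for one forwarded appliance event, or None for anything else."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    body = BODY_RE.search(head.group("msg"))
    if not body or body.group("event") not in FORWARDED_EVENTS:
        return None
    ts = datetime.fromisoformat(head.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "host": head.group("host"), "event": body.group("event"),
            "user": body.group("user"), "src": body.group("src")}


def parse_log(text):
    """Parse every line, dropping lines from other sources or plain noise."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def count_events(records):
    """Totals per event type, e.g. to confirm all five types are arriving."""
    return Counter(r["event"] for r in records)


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """{user: max failures in one sliding `window`} for users at or over `threshold`."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "Failed Login":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[user] = max(flagged.get(user, 0), hits)
    return flagged


def logins_after_burst(records, threshold=3, window=timedelta(minutes=5)):
    """[(user, iso_timestamp)] of Logins preceded, within `window`, by a failure burst.

    A success right after a run of failures is what to review first.
    """
    flagged = failed_login_bursts(records, threshold, window)
    hits = []
    for r in records:
        if r["event"] != "Login" or r["user"] not in flagged:
            continue
        recent = [f for f in records
                  if f["event"] == "Failed Login" and f["user"] == r["user"]
                  and timedelta(0) <= r["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            hits.append((r["user"], r["ts"].isoformat()))
    return hits
```

With the sample above, count_events() reports four Failed Login events, failed_login_bursts() flags only bob, and logins_after_burst() returns bob's 10:02:30 login; carol's single failure stays below the threshold.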


13 Maintenance Tasks

Account Management Service allows you to change various appliance configuration settings as needed. For example, moving your appliance from a staging configuration to a production environment requires changes to the networking components.

13.1 Configuring Session Timeouts

The admin session timeout is set to 5 minutes and is not configurable. The user session timeout is set to 10 minutes by default and is configurable.

To change the user session timeout:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 On the Admin page, click the Cluster icon at the bottom of the page, then click Configure.
3 Adjust the setting in the User session timeout field as needed, then click OK.

13.2 Changing the IP Address

You can change whether a node uses DHCP or a static IP address on the Admin page.

To change the IP address:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click the Node icon, then click Configure.
3 Select whether the appliance uses DHCP or a static IP address. If you select a static IP address, you can change the required values for the subnet mask, default gateway, and DNS server.
4 Click OK to save the changes, then click Apply to apply the changes to the appliance.

13.3 Changing Public DNS Name or NTP Server Settings, or Uploading New Certificates

The appliance contains self-generated certificates. You can upload custom certificates through this interface. You can also change the public DNS name or NTP server if necessary.

To change the appliance settings:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click the Cluster icon under Appliances, then click Configure.
3 Change the key pairs, NTP server, or public DNS name, then click OK.
4 Click Apply to apply the changes to the appliance.

Expired key pair certificates prevent changes from being made on this page and turn the key pair field red.

13.4 Updating the Appliance

Account Management Service provides an update channel for keeping your tenants' appliances current with the latest security fixes, bug fixes, and feature updates. Updates work only if you have registered each node in the cluster. For more information, see Section 4.3, Registering the Appliance, on page 21.

Updates are different from upgrades. Updates are for changes between minor versions; for example, from 2.0 to 2.1. Updates do not work for major version changes, such as from 2.1 to 3.0. For more information about upgrades, see Chapter 14, Upgrading the Appliance, on page 59.

When an update is available for one or more nodes in the cluster, the Account Management Service Admin page displays a flag icon in the upper right corner of the window. You can also configure the appliance to send an email notification when an update is available. When you click the flag icon, you can see the version of the pending update, instructions on how to apply the update, and the Release Notes associated with the update patch. The flag icon for the update channel appears only if you are logged in to the Admin page with an administrator account. Other consoles do not display the flag icon.

Account Management Service automatically checks the NCC channel for updates once daily at 11:23:23 p.m. and downloads any available update. You can also manually check for updates at any time by clicking Tools > Check for updates on the Admin page. You can download and install an update as soon as the flag appears on the Admin page, or you can wait for Account Management Service to download the update that night, to minimize the network impact of a possibly large update.

WARNING: If you download and update in the same step and the download is interrupted or incomplete, the update fails. The appliance might become unresponsive or seem to be in a restart loop. If this occurs, download the update, then go back to the snapshot and try again to apply the update.

NetIQ recommends always keeping your appliance up to date. However, updates are cumulative, so if you miss an update you can simply install the next one when it is available.

IMPORTANT: If you apply an update to one node, you must apply the update to all the other nodes in the cluster. Update one node at a time. Ensure that the update was successful and the node is still working properly before you begin updating the next node. Do not perform any other administrative tasks requiring an Apply command, and do not switch the master node, until all nodes have been successfully updated to the same version of Account Management Service.

This process allows you to run in a mixed environment while updating each node. Once you have applied all available channel updates, the flag icon goes away.

To apply an update:
1 Take a snapshot of each node in the cluster to create a backup.
2 Click the appropriate node, then click Apply update. Account Management Service displays status messages during the installation of the update and the rebooting of the node.
3 After the update completes and the node restarts, click About on the node to verify the updated version.
4 Verify the health of the updated node and all of the nodes in the cluster. Ensure that all icons are green. For more information, see Section 15.2, Displaying Health.
5 Repeat Step 2 through Step 4 for each node in the cluster.
6 When you are sure all of the nodes in the cluster are working as expected, delete the snapshots.

13.5 Shutting Down or Rebooting a Node

You can shut down or reboot a node in the cluster if necessary.

NOTE: If you shut down the node in a single-node cluster, the administration console becomes inaccessible. You must then use vSphere to power on the node. Similarly, if you reboot the node in a single-node cluster, the administration console is inaccessible until the reboot is complete.

To shut down or reboot a node:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Click the node that you want to shut down or reboot, then click Shutdown/Reboot on the menu.
3 In the confirmation window, click Shutdown or Reboot.
4 (Conditional) Wait for the node to reboot, or use vSphere to power the node back on.

13.6 Recovering from a Disaster

IMPORTANT: Use these steps only for disaster recovery. Never restore a snapshot of only one node. The appliance contains a database that is time-sensitive. Restoring one node only and not the others causes corruption in the appliance.

Use snapshots of the nodes to recover from a disaster. It is important to take snapshots of each node in the cluster regularly so that you do not lose information.

To recover from a disaster:
1 On a regular basis, take snapshots of the nodes in the cluster.
1a Power off the working node, then take a snapshot. NetIQ recommends this method, but it requires that you shut down and restart the node to take the snapshot.
or
Take a snapshot of the running node, ensuring that you include the virtual machine's memory. Including the memory in the snapshot requires more time and space to store the snapshot, but taking a snapshot of a running node without the memory can result in corruption.
1b Repeat Step 1a for each node in the cluster, within a short time.
2 When a failure happens, restore the master node snapshot first.
3 Restore the other nodes in the cluster.

14 Upgrading the Appliance

Upgrading the Account Management Service appliance is a manual process, and it is different from updating the appliance. Upgrading the appliance is when you move to a major version of the product; for example, you upgrade from 2.1 to 3.0. You update the appliance from 2.0 to 2.1. For more information about updates, see Section 13.4, Updating the Appliance, on page 56.

To upgrade the nodes in the cluster, use the following procedure.

WARNING: Ensure that the cluster is healthy before promoting a new node to be the master node. If you delete the old master node before you have a valid new master node, adding a new node to the cluster fails.

To upgrade the appliance:

IMPORTANT: After every step in the procedure, verify that all components are healthy and in a green state. If components are not healthy and you proceed to the next steps, the upgrade process fails. For more information about verifying the health, see Section 15.4, Troubleshooting Different States.

1 Take a snapshot of each node in the cluster to create a backup, including the master node.
2 Click one of the old nodes, then click Remove from Cluster.
IMPORTANT: You can remove any existing node that is not the master node. For more information, see Removing a Node from the Cluster.
3 Delete the old node from the host server and the L4 switch.
4 Using the new version of the appliance, install a new node into the cluster using the new virtual image. For more information, see Section 5.3, Configuring Clustering for the Appliance.
5 Promote the new upgraded node to be the master node. For more information, see Promoting a Node to Master.
6 After the new master node is healthy and in a green state, repeat Step 2 through Step 4 for each remaining node in the cluster.
7 After the nodes are healthy in the Account Management Service Admin page, you must delete the red nodes from the tenant console.
7a In the Security Services panel, expand Account Management Service.
7b Delete the red nodes.


15 Troubleshooting

Use the information in the following sections to troubleshoot any issues you might encounter.

15.1 Troubleshooting the Appliance Initialization

If the initialization fails, the initialization page displays a link for log files. Click the link to download the log files that provide information about the failure. If you call technical support for help, they will need these log files to troubleshoot your problem.

15.2 Displaying Health

The appliance displays health status information for each node and for the cluster on the Admin page. Hover the mouse over each node to display the health status of the node. If you want more details, click the node, then click Show Health. The appliance refreshes health status information every five minutes.

When you click Show Health, the appliance displays the status for each component of the appliance. If the status is anything other than green (healthy), use the troubleshooting tools to determine what is wrong.

15.3 Using Troubleshooting Tools

The appliance provides troubleshooting tools to help you resolve problems.

To access these tools:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
2 Under Appliances, click the Node icon, then click Enter troubleshooting mode.
3 Click the Node icon again, then click Troubleshooting tools.
4 Select one or more of the troubleshooting scenarios listed.
5 Duplicate the error or condition.
6 Click Download Account Management Log Files to download the logs.

After you obtain the logs, turn off troubleshooting mode by clicking the Node icon again and then clicking Exit troubleshooting mode. Leaving troubleshooting mode running affects the performance of your appliance.

All of the log files in Table 15-1 are included in the download, no matter what scenario you select. The scenario you select determines the amount of data in the log files. Search the appropriate log file for errors while troubleshooting issues.

Table 15-1 Troubleshooting Log Files

Feature                      Logs
Initialization or commands   ConfigurationReplicator.log, ConfigurationReplicator_RL.log, messages, boot*, packageoperations.log, dserv.log, firewall
Admin.html UI                adminui.log
Registration                 register.log
Updates                      zypper.log, downloadupdate.log, afterupdate.log, beforeupdate.log, rpmsafterupdate.log, rpmsbeforeupdate.log, rpmsupdatediff.log, 300_appliance_SnapshotUconPackages.sh.log
Mapping                      RolesandResourceServiceDriver.log, UserApplicationDriver.log
Reporting                    ManagedSystemGatewayDriver.log, DataCollectionServiceDriver.log

15.4 Troubleshooting Different States

The appliance displays indicators for the current state of the different appliance components. The display refreshes every five minutes, so the appliance might not immediately display a change. The following sections list the different components, the possible states, and the troubleshooting steps you can take when the state changes.

Master Node Health

The master node is responsible for all administration functions in Account Management Service. If the master node is not running, the following functions do not work: provisioning or deleting user accounts, mapping authorizations, system roles, and reporting. Other nodes in the cluster continue to capture and cache events, but do not send those events to the master node until it is running again. Similarly, event forwarding to Sentinel does not work as long as the master node is down.

Front Panel of the Node

The indicator on the front panel of the node displays the health state of the node.

Figure 15-1 Front Panel

The states are:
Green: The node is healthy.
Yellow: The node cannot communicate with the other nodes within the five-minute refresh.
Red: The node cannot communicate with the other nodes within two of the five-minute refresh cycles.
Clear: The node is initializing or the state of the node is unknown.

Perform the following troubleshooting steps in the order listed if the state is anything but green:
1. Wait at least five minutes for the display to refresh and display the current state.
2. Click the node, then select Show health. Show Health displays which part of the appliance is having issues.
3. If Show Health displays a problem, use the troubleshooting tools to gather logs. For more information, see Section 15.3, Using Troubleshooting Tools.
4. Restart the appliance, then wait at least another five-minute cycle for all nodes to display the current state.

Top of the Node

The indicator on the top of the node shows whether the Apply commands completed successfully.

Figure 15-2 Top of the Node

The states are:
Green: All Apply commands completed successfully.
Red: The Apply commands did not complete successfully.

Perform the following troubleshooting steps in the order listed if the state is red:
1. Mouse over the top of the node to see the status of the last Apply command made on the node.

64 Tools 2. If there is not enough information in the summary, click Enter troubleshooting mode on the node, then mouse over the node again. The troubleshooting mode displays a detailed summary of the last Apply command made on the node. 3. Restart the appliance, then wait at least another five minute cycle for all nodes to display the current state. The health indicator for a tool is the small circle in the lower left corner. Only tools that report health have an indicator. Google Analytics does not have a health indicator: Figure 15-3 Tool Indicator For all tools, the Question Mark icon indicates that the tool is in an unconfigured state. Sentinel and Syslog: The states for the Sentinel and Syslog tools are as follows: Green circle: The connection to the specified address:port is healthy. Red circle: The connection to the specified address:port is not working Troubleshooting Networking Issues As an appliance administrator or network administrator, you might need to troubleshoot some basic networking issues before you can successfully initialize the appliance. For example, if your appliance boots onto the network and gets the wrong IP address or falls back to the default IP address, you can use a basic set of commands in the network troubleshooting console to help you resolve these issues. The console is in a chroot jail environment that gives you temporary connectivity to the appliance. You can use the cat command to check files such as /etc/resolv.conf and /etc/hosts, which exist in memory in the chroot environment. When you run the initialization process, the real files are updated on the system. Similarly, actions such as updating the IP address or route are not persistent and are reset if you reboot the appliance. You must run through the initialization process to set them permanently. NOTE: As long as you have not yet completed the initialization process on the appliance, you automatically have console access without login credentials. 
Logins to the troubleshooting console are no longer available after you have completed the initialization process. However, you can change network settings after this point using the Init screens.

To troubleshoot network issues:

1 Using the vSphere client console or a similar tool, access the troubleshooting console.

2 (Optional) Press the Tab key twice to see all available commands. Some commonly used and supported commands are listed below.
3 (Conditional) Use the following steps if you need to change appliance network settings:
3a Delete the default route: route del default
3b Create an alias with the IP address that you want to use: ifconfig eth0:0 IP_address netmask subnet
3c Enter ifconfig again to verify that the address is now available.
3d Add a route: route add default gw gateway_ip eth0:0
3e Check connectivity to various resources: for example, ping gateway_ip or ping
3f (Conditional) If DNS name resolution is not functioning correctly, add an entry to the /etc/resolv.conf file as follows: echo "nameserver " > /etc/resolv.conf
At this point, you should have connectivity to the appliance. You can run through the initialization process and configure the appropriate settings permanently.
3g In a browser, enter the URL of the appliance, replacing IP_address with the IP address that you used for your alias.
3h At the certificate warning prompt, add an exception.
3i In Step 1 - Network of the initialization process, replace the default network values with your preferred IP address and other network settings and click Next.
3j After the appliance validates your entries, click OK to apply the new settings. The appliance applies the settings permanently and restarts services as needed. If you return to the troubleshooting console, it now displays your preferred IP address. You can use the ifconfig command to verify that the new settings are working correctly.
3k Continue with the remaining initialization steps.

Supported commands include the following: arp, bash, cat, date, echo, ifconfig, ip, mkdir, netcat, nslookup, ping, pwd, rm, route, sntp, traceroute

The following table provides examples of some common actions and commands.
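Before typing the step 3a through 3d commands above into the console, it is worth checking that the IP address, netmask and gateway you plan to use fit together; a gateway that is not on the alias's subnet is a common reason the route never provides connectivity. The following POSIX sh script is an added example, not part of the NetIQ guide: it validates the three values and prints the command sequence for the eth0:0 alias from step 3b. All addresses in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the NetIQ guide. Validates IP/netmask/gateway and
# prints the step 3a-3d console commands for the eth0:0 alias used in step 3b.

# ip_to_int A.B.C.D -> the address as a 32-bit integer; fails on malformed input
ip_to_int() {
    case $1 in *.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        # reject empty, non-numeric, or leading-zero (octal-looking) octets
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# check_config IP NETMASK GATEWAY -> prints "ok" or the first problem found
check_config() {
    ip=$(ip_to_int "$1")   || { echo "bad IP address: $1"; return 1; }
    mask=$(ip_to_int "$2") || { echo "bad netmask: $2"; return 1; }
    gw=$(ip_to_int "$3")   || { echo "bad gateway: $3"; return 1; }
    # a valid netmask is a run of ones followed by zeros, so
    # mask | (mask - 1) fills every low bit and yields all 32 ones
    [ "$mask" -ne 0 ] && [ $(( (mask | (mask - 1)) & 4294967295 )) -eq 4294967295 ] \
        || { echo "netmask is not contiguous: $2"; return 1; }
    [ "$ip" -ne "$gw" ] || { echo "IP address and gateway are the same"; return 1; }
    [ $(( ip & mask )) -eq $(( gw & mask )) ] \
        || { echo "gateway $3 is not on the subnet $1/$2"; return 1; }
    echo ok
}

# console_commands IP NETMASK GATEWAY -> the step 3a-3d sequence, ready to type
console_commands() {
    check_config "$1" "$2" "$3" >/dev/null || return 1
    printf '%s\n' "route del default" \
        "ifconfig eth0:0 $1 netmask $2" \
        "ifconfig" \
        "route add default gw $3 eth0:0" \
        "ping $3"
}

# Usage with constructed sample values (RFC 5737 documentation addresses)
check_config 192.0.2.10 255.255.255.0 192.0.2.1 &&
    console_commands 192.0.2.10 255.255.255.0 192.0.2.1
```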

Table 15-2 Examples

Action                                  Command
Set the IP address of the appliance.    ifconfig eth0 static_ip netmask netmask up
Delete the default route.               route del default
Set the default route (or gateway).     route add default gw gw_ip eth0
Update the time.                        sntp -P no -v -r pool.ntp.org
Check networking.                       ping
                                        traceroute
Verify that DNS is working.             nslookup

Troubleshooting the Connector for LDAP

User names across the Active Directory domain (sAMAccountName) must be unique no matter where the users reside in the domain. The connector searches for a matching user name only in the context you specified during the configuration. If the user resides elsewhere in the domain, the connector does not find the user, so it tries to add the user. Active Directory recognizes that the user exists elsewhere in the domain and returns a Constraint violation error. Any subsequent password sets for the user fail because the target DN for the password set is not in the target location of the connector.

To see if you are having this issue, set logging on the appliance to the highest level, try the provisioning action again, and then stop the logging. In the logs, search for the error Constraint violation. If you see this error, the users you are trying to add already exist in the Active Directory domain, but in a different location.

Troubleshooting Automatic Emails for Users' Passwords

If you want your users to automatically receive emails with their user name and a temporary password to claim their accounts, you must configure the Self-Service User Store (SSUS) tool on the appliance before provisioning users. The CSV file must also have a valid email address for each user to receive the automatic email. If you did not configure SSUS before provisioning users, or if you did not specify a valid email address for each user, you must perform the following steps:

1 Delete the imported users by using the Delete = true field in the CSV import file.
2 Configure the account claim feature.
For more information, see Chapter 10, Configuring Account Claim for Users, on page
3 Import the CSV file that contains valid email addresses for each user to create the users again. For more information, see Chapter 6, Importing Data, on page 31.

The users automatically receive emails containing their user name, a temporary password, and a link where they can go and change their password.
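The Connector for LDAP section above describes a failure that can be predicted before provisioning: a CSV user whose sAMAccountName already exists outside the connector's search context will produce a Constraint violation. The following POSIX sh script is an added example, not part of the NetIQ guide, and works from a constructed snapshot of the domain (one "sAMAccountName DN" pair per line) rather than a live directory; CONTEXT_DN stands in for the context configured on the connector, and the sample DNs contain no spaces.

```shell
#!/bin/sh
# Added example, not part of the NetIQ guide: flag CSV user names that already
# exist in the domain outside the connector's context (the Constraint violation
# case) before the import is attempted.

CONTEXT_DN='OU=Provisioned,DC=example,DC=com'   # assumed connector search context

# Constructed sample: every user that already exists anywhere in the domain
DOMAIN_USERS='jsmith CN=jsmith,OU=Sales,DC=example,DC=com
mjones CN=mjones,OU=Provisioned,DC=example,DC=com
rlee CN=rlee,OU=Engineering,DC=example,DC=com'

# dn_of NAME -> DN of the existing user with that sAMAccountName, or nothing.
# The match is case-insensitive, as the directory's own uniqueness check is.
dn_of() {
    printf '%s\n' "$DOMAIN_USERS" |
        awk -v n="$1" 'tolower($1) == tolower(n) { print $2; exit }'
}

# predict NAME... -> one verdict line per CSV user name
predict() {
    for name in "$@"; do
        dn=$(dn_of "$name")
        if [ -z "$dn" ]; then
            echo "$name: not in domain; the connector will add it"
        else
            case $dn in
                *",$CONTEXT_DN")
                    echo "$name: found in the connector context" ;;
                *)
                    echo "$name: CONFLICT, exists at $dn outside $CONTEXT_DN" \
                         "(expect Constraint violation)" ;;
            esac
        fi
    done
}

# Usage with constructed CSV user names
predict jsmith mjones newuser
```

Run the real import only after every CONFLICT line has been resolved, for example by moving the existing object into the connector context or by widening the configured context.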